[Techtalk] Mandatory Access Controls

Julie txjulie at austin.rr.com
Wed Jul 16 08:43:15 EST 2003


Subba Rao wrote:
> Hello, 
> 
> I have a very basic question regarding mandatory access controls (MACs).  
> 
> Using the following diagram: 
> 
> ---------------------         ---------------------
> |    Subject         |        |     Object         |
> ---------------------         ---------------------
> |    Clearance       |        |    Classification  |
> |  Ex - Top Secret   |        |  Ex - Top Secret   |
> |                    |        |                    |
> ---------------------         ---------------------
> 
> 
> In the MAC model the "need-to-know" flag restricts the subject's access to the
> object.  Is this flag part of the subject's attributes or the object's
> attributes? 

I didn't see a response, so I'm going to respond now that I have
more time.

In MLS (multi-level secure) systems, each subject and object
(and there are a lot of subjects and objects in such a system ;-)
is labelled.

So to answer your question, "both".  The subject is labelled
with either the current classification, both hierarchical and
non-hierarchical, or the range of permissible classifications,
as is the object.  When a subject attempts to access a single
level object, the label on the object is compared with the label
on the subject, and if the proper relationship exists, access is
permitted.  In some instances the label on the object will be
modified, perhaps along with the label on the subject.  When
subjects and objects support multiple levels all sorts of very
odd things can occur, but that's beyond the scope of your
question.
-- 
Julianne Frances Haugh             Life is either a daring adventure
txjulie at austin.rr.com                  or nothing at all.
					    -- Helen Keller
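The label comparison Julie describes, as an added example that is not part of the original post: each label carries a hierarchical level plus a set of non-hierarchical categories (the need-to-know compartments), and the "proper relationship" is modelled here as the conventional Bell-LaPadula dominance check (read requires the subject label to dominate the object label, write requires the reverse), which is an assumption about the policy the thread leaves unstated. Level names and category names are constructed sample values.

```python
from dataclasses import dataclass

# Constructed ordering of hierarchical levels, low to high.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """An MLS label: hierarchical level + non-hierarchical categories.

    The same structure labels both subjects (clearance) and objects
    (classification); the categories set is the need-to-know component.
    """
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # self >= other: level at least as high AND every category of
        # 'other' also present on 'self' (superset on the lattice).
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def can_read(subject: Label, obj: Label) -> bool:
    # Simple security property (no read up): subject must dominate object.
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    # *-property (no write down): object must dominate subject, so data
    # cannot flow from a higher or differently compartmented subject
    # into a lower object.
    return obj.dominates(subject)


def explain(subject: Label, obj: Label) -> str:
    # Human-readable verdict showing that equal hierarchical levels are not
    # enough: a category the subject lacks still denies access.
    missing = obj.categories - subject.categories
    if can_read(subject, obj):
        return "read permitted"
    if LEVELS[subject.level] < LEVELS[obj.level]:
        return "read denied: clearance below classification"
    return "read denied: missing need-to-know categories " + ",".join(sorted(missing))


if __name__ == "__main__":
    analyst = Label("TOP SECRET", frozenset({"CRYPTO"}))
    report = Label("TOP SECRET", frozenset({"NUCLEAR"}))
    print(explain(analyst, report))   # same level, different compartment
    print(explain(analyst, Label("SECRET")))
```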
